Security Implications for Remote Administration
To administer Application Center, you must have administrative privileges.
You can administer Application Center by using any of the following:
Application Center snap-in.
Application Center Administrative site.
Application Center command-line tool.
Windows 2000 Terminal Services.
Application Center Snap-in
The Application Center snap-in provides complete remote administration. You can run the Application Center snap-in on an Application Center server or on an Administrative client. The Administrative client must have administrative privileges on the Application Center server. However it is run, the same administrative operations are available.
To enhance security, the administrator, even if logged on with administrative privileges, will need to re-authenticate their credentials to perform certain tasks—for example, to remove a cluster member.
Application Center Administrative Site
Application Center has a Web site that allows Web-based Administrative clients (by using Microsoft Internet Explorer 5.0 or later) to complete certain tasks. Secure access through the browser is maintained entirely through IIS and Windows 2000. For security reasons, the Administrative site allows only the following operations:
IP address management
Other operations, such as creating and managing a cluster, are not supported.
The Administrative Web site for an Application Center member can be reached through port 4242 (for example, http://machine_name:4242). If necessary, the browser prompts for user authentication.
Note: If the Administrative Web site is not required, you should block port 4242 at the firewall.
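One way to confirm that the firewall block on port 4242 is in effect, given as an added example that is not part of the original documentation: the Python below is meant to be run from a host outside the firewall against your own cluster members, and it reports whether the Administrative site port answers. The function names and the open/closed/filtered labels are choices made for this example, and 127.0.0.1 is only a placeholder host.

```python
import errno
import socket
import sys

ADMIN_SITE_PORT = 4242  # Administrative Web site port stated on this page


def probe_admin_port(host, port=ADMIN_SITE_PORT, timeout=3.0):
    """Classify one TCP connect attempt to the Administrative site port.

    "open"       - handshake completed: the site is reachable from here
    "closed"     - connection refused (no listener, or a device rejecting it)
    "filtered"   - no answer or unreachable: consistent with a firewall block
    "unresolved" - the host name could not be resolved
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


def audit_members(hosts, port=ADMIN_SITE_PORT, timeout=3.0):
    """Return ({host: state}, hosts where the port is reachable)."""
    results = {h: probe_admin_port(h, port, timeout) for h in hosts}
    exposed = sorted(h for h, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    # Member names come from the command line; 127.0.0.1 is a placeholder.
    members = sys.argv[1:] or ["127.0.0.1"]
    results, exposed = audit_members(members)
    for host, state in results.items():
        print(f"{host}:{ADMIN_SITE_PORT} {state}")
    # Non-zero exit when any member still exposes the Administrative site.
    sys.exit(1 if exposed else 0)
```

A result of "open" from outside the firewall means the block is not in place for that member; the same check run from inside the intranet is expected to return "open" where the site is in use.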
The Application Center Command-line Tool
The command-line tool does not allow the complete set of operations that the Administrative client provides. In particular, creating clusters is not supported. Sometimes it will be necessary to provide authentication for commands.
Windows 2000 Terminal Services
Terminal Services provides remote control for an Application Center cluster within a company's intranet. The connection may be made over the Internet, such as through a VPN, or through a direct connection (for example, a telephone line or ISDN) to the company intranet. Through Terminal Services, you can run the Application Center snap-in on any cluster member or the cluster controller.
Note: Application Center does not encrypt client/server data. Therefore, it is important to use an appropriate VPN for data encryption.
For more information about authenticating command-line commands, see Authenticate the Command-Line User.
For more information about Terminal Services security issues and deploying content by using Terminal Services, see the Microsoft Windows 2000 Deployment Planning Guide.
For information about VPNs and using the Remote Access Service (RAS) for direct intranet connections, see the Microsoft Windows 2000 Internetworking Guide.